TECHZONE™
TECHZONE CYBERNEWS && UPDATES Wᴇʟᴄᴏᴍᴇ Tᴏ TECHZONE™ ✔️Infosec Facts ✔️Cheatsheets ✔️Free Courses ✔️Open source tools ✔️Tech news
Subscribers: 598 (-1 over 24 hours, -3 over 7 days, -10 over 30 days)
Post archive
Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem
https://thehackernews.com/2026/05/typosquatting-is-no-longer-user-problem.html
AI-generated lookalike domains are now embedded inside the third-party scripts running on your web properties. Here's why your current stack can't see them, and what detection actually requires.
Download the CISO Expert Guide to Typosquatting in the AI Era →
TL;DR
Typosquatting is no longer a user problem. Attackers now embed lookalike domains inside legitimate third-party scripts.
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit
https://thehackernews.com/2026/05/microsoft-releases-mitigation-for.html
Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week.
The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8. It has been described as a BitLocker security feature bypass.
"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey,'" the
Grafana GitHub Breach Exposes Source Code via TanStack npm Attack
https://thehackernews.com/2026/05/grafana-github-breach-exposes-source.html
Grafana Labs, on May 19, 2026, said an investigation into its recent breach found no evidence of customer production systems or operations being compromised.
It said the scope of the incident is limited to the Grafana Labs GitHub environment, which includes public and private source code along with internal GitHub repositories.
"After the initial assessment, we found that in addition to source
GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories
https://thehackernews.com/2026/05/github-investigating-teampcp-claimed.html
GitHub on Tuesday said it's investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform's source code and internal organizations for sale on a cybercrime forum.
"While we currently have no evidence of impact to customer information stored outside of GitHub's internal repositories (such as our customers' enterprises,
Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps
https://thehackernews.com/2026/05/trapdoor-android-ad-fraud-scheme-hit.html
Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users.
The activity, per HUMAN's Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud.
"Users
Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials
https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html
In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server.
"Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history,
Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account
https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html
Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave.
"The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly
INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests
https://thehackernews.com/2026/05/interpol-operation-ramz-disrupts-mena.html
INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests and the identification of an additional 382 suspects.
The initiative involved the efforts of 13 countries from the region between October 2025 and February 2026, aiming to investigate and neutralize malicious infrastructure, arrest perpetrators behind these
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
https://thehackernews.com/2026/05/weekly-recap-exchange-0-day-npm-worm.html
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production
How to Reduce Phishing Exposure Before It Turns into Business Disruption
https://thehackernews.com/2026/05/how-to-reduce-phishing-exposure-before.html
What happens when a phishing email looks clean enough to pass through security, but dangerous enough to expose the business after one click? That is the gap many SOCs still struggle with: the attacks that leave teams unsure what was exposed, who else was targeted, and how far the risk has spread.
Early phishing detection closes that gap. It helps teams move from uncertainty to evidence faster,
Developer Workstations Are Now Part of the Software Supply Chain
https://thehackernews.com/2026/05/developer-workstations-are-now-part-of.html
Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software possible. Recently, three separate campaigns hit npm, PyPI, and Docker Hub in a 48-hour window, and all three targeted secrets from developer environments and CI/CD pipelines, including API keys, cloud credentials, SSH keys, and tokens. This is
Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
https://thehackernews.com/2026/05/ivanti-fortinet-sap-vmware-n8n-patch.html
Ivanti, Fortinet, n8n, SAP, and VMware have released security fixes for various vulnerabilities that could be exploited by bad actors to bypass authentication and execute arbitrary code.
Topping the list is a critical flaw impacting Ivanti Xtraction (CVE-2026-8043, CVSS score: 9.6) that could be exploited to achieve information disclosure or client-side attacks.
"External control of a file name
Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware
https://thehackernews.com/2026/05/four-malicious-npm-packages-deliver.html
Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP.
The list of identified packages is below -
chalk-tempalte (825 Downloads)
@deadcode09284814/axios-util (284 Downloads)
axois-utils (963 Downloads)
color-style-utils (934 Downloads)
"One of the packages (chalk-tempalte)
Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations
https://thehackernews.com/2026/05/pre-stuxnet-fast16-malware-tampered.html
A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations.
According to Broadcom-owned Symantec and Carbon Black teams, the pre-Stuxnet tool was engineered to corrupt uranium-compression simulations that are central to nuclear weapon design.
"Fast16's hook engine is selectively interested in
MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems
https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html
Chaotic Eclipse, the security researcher behind the recently disclosed Windows flaws, YellowKey and GreenPlasma, has released a proof-of-concept (PoC) for a Windows privilege escalation zero-day flaw that grants attackers SYSTEM privileges on fully patched Windows systems.
Codenamed MiniPlasma, the vulnerability impacts "cldflt.sys," which refers to the Windows Cloud Files Mini Filter Driver,
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html
A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.
The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the
Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt
https://thehackernews.com/2026/05/grafana-github-token-breach-led-to.html
Grafana has disclosed that an "unauthorized party" obtained a token that granted them the ability to access the company's GitHub environment and download its codebase.
"Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations," Grafana said in a series of
Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming
https://thehackernews.com/2026/05/funnel-builder-flaw-under-active.html
A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data.
Details of the activity were published by Sansec this week. The vulnerability currently does not have an official CVE identifier. It
Why geopolitical turmoil is a gift for scammers, and how to stay safe
https://www.welivesecurity.com/en/scams/geopolitical-turmoil-gift-scammers-how-stay-safe/
Conflict is a boon for opportunistic fraudsters. Look out for their ploys.
Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access
https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html
The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that's engineered for stealth and persistent access to compromised hosts.
Turla, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia's Federal Security Service (FSB)
